CA ITALIA LEAD PRIVACY POLICY

Who is the Controller of your personal data processing

Crédit Agricole Italia S.p.A. (hereinafter also “CA Italia”) – with Registered Office at Via Università, 1 - 43121 Parma, Italy, the Parent Company of the Crédit Agricole Italia Banking Group, which, in its capacity as the Controller of the processing of your personal data (hereinafter also the “Controller”) undertakes to protect your Personal Data, as defined below, provided by you who are a Lead, i.e. a Data Subject that asks us for a response to a request or some information.

In general, all the information and data provided to CA Italia by its Leads within the use of CA Italia services (“Services”) as defined 3 below, shall be processed by CA Italia in a lawful, fair and transparent manner.

What type of data will be processed?

The data that the Controller collects are those provided directly by the Data Subject within his or her request for response (e.g. information to start the application for a mortgage loan or another loan). These data make the customer or a third party identified or identifiable and are therefore classified as “Personal Data". The types of Personal Data that may be processed by CA Italia through the Services it provides to you are:

• Contact Personal Data: including, by way of example and not limited to, first name, last name, Taxpayer Identification Number, phone number and e-mail address, as well as the data and image of the identity document.
• Personal Data of third parties: Personal Data provided by Leads but regarding third-party natural persons (e.g. the phone number or e-mail address of spouses that are not customers of the Bank). For these data, the Lead shall be an independent controller of personal data processing, i.e. the Lead shall take all obligations and liability under the law, releasing CA Italy from liability and holding it harmless from any complaint, demand, claims for compensation of damage caused by the data processing, etc., which may be lodged against CA Italia by third parties whose Personal Data are process through the use of the Services violating the applicable legislation on personal data protection. In any case, Leads that provide Personal Data of third parties through the use of the Services shall hereby warrant - taking all associated liability - that the processing by CA Italia of said information has a suitable legal basis and is therefore lawful (e.g. consent).
• Personal Data from databanks: Personal Data acquired from third parties that are authorized to provide your personal data in order for us to give you specific Services or responses (e.g. consumer loans). Please, bear in mind that the processing of personal data belonging to special categories is not generally essential, but said data may have to be requested, especially health ones, only where necessary to give you a response about insurance products for which that type of data is necessary and relevant for the response (for example a detailed quotation of the cost of the product). Lastly, please bear in mind also that your data shall not be processed with automated means and for profiling purposes.

What is the legal basis and optionality of processing?

The legal bases on which Crédit Agricole Italia processes your Personal Data, for the purposes set out above, are the following:

• Response and Service Provision: data processing for these purposes is based on the need to provide the Lead with a response or Service. When the response for the Services involves Personal Data belonging to special categories, their processing is based, alternatively, on the need to provide a Service or on consent (e.g. when, in the capacity as data processor, Crédit Agricole Italia asks the Lead to complete a questionnaire prepared by a third party). When the Service Provision concerns Personal Data coming from databanks, their processing is based on the consent collected directly from the data subject by the third party having the databank. Providing Personal Data for these purposes is not mandatory, but, it they are not provided, Crédit Agricole Italia cannot provide you with any Service or Response.
• Compliance: the basis for data processing for this purpose is that CA Italia must comply with any and all its legal obligations. In this regard, the Personal Data provided by the Lead to CA Italia may be communicated to the Authorities listed in the next Paragraph for accounting, tax or other obligations, as well for administrative requirements within the Crédit Agricole Italia Banking Group.

Whom may your personal data be communicated to?

Your Personal Data may be shared with:

• Natural persons authorized by CA Italia to process Personal Data after signing a non-disclosure agreement (e.g. employees and system administrators of CA Italia);
• Entities that typically operate as External Data Processors, including, by way of example and not limited to, companies providing help desk services, advisory services, e-mail and mailing services, etc.);
• Entities, Institutions or Authorities to which your Personal Data shall mandatorily be communicated for the Service Provision or under the applicable law or orders issued by competent authorities pursuing the Compliance purpose;
• Companies belonging to the Crédit Agricole Italia Banking Group for administrative and accounting purposes;

Where do your Personal Data circulate?

Some of your Personal Data are shared with Recipients that may be outside the European Economic Area. Crédit Agricole Italia ensures that your Personal Data are processed by said Recipients in compliance with the applicable legislation. Indeed, data are transferred with appropriate safeguards, such as adequacy decisions, standard contractual clauses approved by the European Commission or other legal instruments.

For how long are your personal processed?

Having regard to the Response and Service Provision purposes, your Personal Data shall be kept only for the time necessary for pursuing these purposes. In any case, the above shall apply without prejudice to any longer period required under the applicable legislation, including Article 2946 of the Italian Civil Code, and for the Compliance purpose.

What is the address of the Data Protection Officer (“DPO”) of the Crédit Agricole Italia Banking Group?

The DPO’s e-mail address is: dpo@credit-agricole.it

What are your rights?

In your capacity as Lead, you have the right to obtain the following from Crédit Agricole Italia, at any time:

• Access to your Personal Data (or to a copy thereof), as well as further information on the processing underway of your Personal Data;
• The rectification or update of your Personal Data, if said data are incomplete or not up to date;
• The erasure of your Personal Data from CA Italia’s databases in the cases provided for by the applicable legislation in force at the relevant time;
• The right to object, on grounds relating to any particular situation you are in, at any time to processing of your personal data, pursuant to Article 6(1)(e) or (f) of the GDPR;
• Restriction of the processing of your Personal Data.

You can exercise your rights listed above writing to privacy@credit-agricole.it. In any case, you are entitled to lodge a complaint with the competent Supervisory Authority (Garante per la Protezione dei Dati Personali, the Italian Data Protection Authority).